Abstract — Advances in both quantum computation and blockchain systems necessitate a rigorous analysis of the security of blockchains in the advent of powerful quantum computers. Computational problems that are proved or believed to be intractable by classical computers are known to be attacked by well-studied quantum algorithms. Such problems are used as a basis to secure blockchains and hence the security of such systems must be defended. As proof-of-work was used in early blockchains to maintain consensus, proof-of-stake was proposed to lower its high energy consumption and provide a higher network throughput. Proof-of-stake has therefore attracted increasing interest, variations, implementations and enhancements, whilst its quantum security defenses have remained almost the same. By comparing proof-of-work to proof-of-stake, we find that the latter is more vulnerable to certain attack vectors. We suggest general defenses for quantum-resilient blockchains and thoroughly analyze post-quantum signature schemes to select an appropriate alternative against the most serious threat to conventional digital signatures.

Keywords — Blockchain, Distributed Ledger, Proof-of-Work, Proof-of-Stake, Post-Quantum, Quantum Attack, Quantum Resistance

I. Introduction 

Distributed ledgers are digital containers of data spread across a multiplicity of nodes in different locations. The data are replicated and synchronized so that a consensus is achieved between the participating nodes [1]. Blockchains are distributed ledgers proposed and implemented in Bitcoin [2]. The advent of Bitcoin as an arguably decentralized digital currency brought a lot of interest in the potential of blockchain systems. Ethereum [3] provided another model to enable programmability over blockchains using smart contracts [4]. Numerous derivatives relied especially on Bitcoin's, but also on Ethereum's, design concepts to provide alternative implementations or upgraded functionality and continued as their own projects. All of them provide security proofs to mediate between willing parties.

The security advantages of blockchains rely on their underlying cryptographic primitives, mainly one-way hash functions and standard digital signature schemes. To enhance such measures, for example in terms of anonymity and privacy, commitment schemes, accumulators, zero-knowledge proofs, ring signatures, and other primitives are also utilized in some implementations [5]. Digital signature schemes are critically used to sign and validate transactions. Elliptic curve digital signatures are widely employed and their hardness is based on the discrete log problem, which is believed to be hard on classical computers. On a quantum computer, however, Shor's Las Vegas algorithms [6] can find discrete logarithms in a number of evaluations polynomial in the input size. This forms a major threat to public key cryptography schemes in general, and specifically applies to Elliptic Curve Cryptography (ECC), which secures most of the blockchain systems.

The mechanism of creating new assets involves proof-of-work (PoW) Hashcash [7]. As implemented in Bitcoin, it assists its peer-to-peer network with defenses against denial of service and spam by serving as a cost function and hence a throttling mechanism to accept a new asset creator considering the computational work invested. Its security is based on hash functions, specifically by finding a hash preimage of a pre-specified difficulty in order to claim a prize of assets, a process referred to as mining. Proof-of-stake (PoS) is an alternative to PoW that is gaining increasing traction, variants, and implementations [8]. It was first implemented in Peercoin based on [9]. As the name suggests, it depends on the asset stake of an owner in the network to create new assets, based on the belief that asset owners are less likely to attack the system [1]. This process is also referred to as mining, but staking is used to differentiate it from PoW mining.

Aggarwal et al. [10] provided an estimate of the feasibility of quantum attacks on Bitcoin which is applicable to any PoW system. A review of post-quantum signature schemes is also provided, and a quantum-resilient alternative to HashCash called Momentum, based on finding collisions in hash functions, is analyzed. In this paper, we highlight the differences between current PoW and PoS usage of the standard digital signature schemes and hence find other attack vectors that are uniquely applicable to PoS systems. We extend the design considerations in [10] for quantum-resilient blockchains, providing an up-to-date analysis of post-quantum signature schemes that are subject to standardization by the National Institute of Standards and Technology (NIST) and the European Telecommunications Standards Institute (ETSI). We also consider schemes that are not submitted for standardization but are used in practice, by tracing their roots, security proofs, and cryptanalysis, and considering their fitness for blockchain systems.

The rest of this paper is organized as follows. In Section II, we define the typical blockchain structure primitives for PoW and PoS. We highlight asset creation, transacting, and retention mechanisms. In Section III, we provide a general quantum attack model and apply it to explain the attacks on PoS mechanisms. In Section IV, we provide system design defenses for quantum-resilient ledgers and analyze post-quantum signature schemes to select an appropriate alternative in Subsection IV-C. We conclude with Section V.

Fig. 1. Generic blocks forming a blockchain.

II. Blockchain and Proof-of-Stake Concepts 

We briefly introduce typical blockchain system components and mechanisms in order to recall certain ideas applicable to systems that follow the same abstractions. We consider the main blockchain components to be 1) a data structure, 2) a distributed network, and 3) a consensus protocol. The mechanisms we consider are 1) asset creation, 2) transacting, and 3) asset retention.

A. System Components 

1) A data structure: A blockchain is an ordered chain of blocks linked together using cryptographic hash pointers as unique identifiers, see Figure 1. Each block contains a data body and a hash pointer to the previous block, which is a timestamped reference used to verify its integrity. The security of this hash is primarily subject to the features of the cryptographic hash function used to generate it. The first block, referred to as the genesis block, is mostly hard-coded for reference values. A typical block structure is shown in Figure 2. Blocks contain headers and bodies. The block header hash is commonly referred to as the block hash. The header contains metadata such as the previous block hash, a nonce value, the root hash of a Merkle or a Merkle Patricia tree that forms the block body, and a timestamp.
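As an added illustration of the block and hash-pointer structure just described (example code written for this edit, not code from the paper), the following Python builds a small chain whose header commits to the previous block hash, a Merkle root over the body, a timestamp and a nonce, and then checks every hash pointer. The names `Block`, `merkle_root`, `build_chain` and `verify_chain` are this example's own; the double SHA-256 block hash follows the paper's later description of mining as two evaluations of a hash function on the block.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Added example (not the paper's code): a minimal block chain linked by
# hash pointers, with a Merkle root committing to the block body.


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, h = f(f(x)), the block hash used in Bitcoin."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(leaves: List[bytes]) -> bytes:
    """Merkle root over transaction hashes. An odd last node is paired with
    itself (Bitcoin-style); an empty body yields an all-zero root."""
    if not leaves:
        return b"\x00" * 32
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [sha256d(level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0]


@dataclass
class Block:
    prev_hash: bytes        # hash pointer to the previous block header
    txs: List[bytes]        # block body: serialized transactions
    timestamp: int
    nonce: int = 0

    def header(self) -> bytes:
        """Header = previous hash || Merkle root || timestamp || nonce."""
        return (self.prev_hash
                + merkle_root([sha256d(tx) for tx in self.txs])
                + self.timestamp.to_bytes(8, "big")
                + self.nonce.to_bytes(8, "big"))

    def block_hash(self) -> bytes:
        """The block hash is the hash of the header, not of the whole block."""
        return sha256d(self.header())


def build_chain(bodies: List[List[bytes]]) -> List[Block]:
    """Genesis block first (hard-coded prev_hash of zeros), then one block
    per body, each pointing at the hash of its predecessor."""
    chain = [Block(prev_hash=b"\x00" * 32, txs=[b"genesis"], timestamp=0)]
    for t, txs in enumerate(bodies, start=1):
        chain.append(Block(prev_hash=chain[-1].block_hash(), txs=txs, timestamp=t))
    return chain


def verify_chain(chain: List[Block]) -> Optional[int]:
    """Index of the first block whose hash pointer does not match the
    recomputed hash of its predecessor, or None if all pointers are consistent."""
    for i in range(1, len(chain)):
        if chain[i].prev_hash != chain[i - 1].block_hash():
            return i
    return None


if __name__ == "__main__":
    chain = build_chain([[b"tx-a", b"tx-b"], [b"tx-c"], [b"tx-d", b"tx-e", b"tx-f"]])
    print("intact chain:", verify_chain(chain))                  # None
    chain[1].txs[0] = b"tx-a'"                                     # tamper with a body
    print("first broken pointer at block:", verify_chain(chain))  # 2
```

Changing any transaction in block 1 changes its Merkle root, hence its header hash, so block 2's pointer no longer matches. Note what the pointer check alone does not give you: a modification of the chain tip is never caught this way, because no later block points at it yet. That is exactly the gap the consensus protocol (longest chain, the cost of PoW, or the stake rules in PoS) has to close.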

2) A distributed network: Blocks are constantly broadcast 
to the participants of a peer-to-peer network with nodes 
representing peers. They can engage in creating new blocks, 
accept and validate transactions, and broadcast them to other 
peers. 

3) A consensus protocol: Transactions that are broadcast to the network are included in new blocks. The time it takes for all nodes to be informed about the blocks leads to a problem of distributed consensus. Typically, each node verifies all transactions to prevent double spending, and PoW alleviates Sybil attacks [11]. In case multiple valid blocks $k_1, k_2$ are broadcast over the network, the eventual longest chain is followed. This means that eventually $k_3$ will be built atop $k_1$ or $k_2$ so that the other block is discarded. In PoS blockchains, variants of the same rule may include the asset stake and age in the longest chain calculation.

B. System Mechanisms 

1) Asset creation: In PoW blockchains, a node involved in creating new assets is called a miner. Such a node competes with other nodes to solve HashCash with a dynamic difficulty that maintains the block production at a pre-defined interval. Mining requires two evaluations of a hash function $f$ on a created block to find a hash value, $h = f(f(\text{block}))$. In PoS systems, new assets are created using a staking mechanism that requires participants to prove that they hold a stake of the network assets. Derivative PoS solutions based on the stake size, owner activity, and asset age are also used [1]. In Peercoin, the coin age, or asset age, is $a = ct$, where $c$ is the amount of assets and $t$ is the time period of holding it [9]. To gain the privilege of creating a new block, an owner of some stake would create a transaction, sometimes referred to as the coinstake transaction, in which the assets are consumed and sent back to the owner. Consumption of the assets means that the asset age $a$ is reset to zero. Other PoS variants use randomization methods to select the next block creator, but the staking transaction remains the same.

Fig. 2. Typical block and transaction structures.

2) Transacting: Transacting over a blockchain network requires public/private key pair generation. The public key is hashed to output an address, which can be used to receive assets. Transactions that are stored in a Merkle tree commonly use a transactional model called Unspent Transaction Outputs (UTXOs) [12]. The representative sum of spendable assets in this model is calculated from the total unspent transaction values. Each UTXO can be spent once. To transact over the network, an asset owner uses the private key, generated initially to receive assets, to digitally sign a hash of the received transaction. Normally, the respective public key is included for verification. A single transaction can have multiple inputs and outputs, see Figure 2. Each input references a previous transaction, an index to its unspent output, and a signature script that contains both the signature and its public key. Each output contains the value of assets to spend and a public key script that contains either an address or a public key. Scripting provides some degree of programmability, allowing multi-signatures and other contract forms and providing a level of transaction flexibility. While the UTXO model is used in Bitcoin and its derivatives, Ethereum and others use an account model in which transactions represent transitions in the account states, which in turn form the global state of the ledger [3], [4]. Each account has a direct balance value and an internal storage which is programmable, allowing Ethereum to derive more flexible transactions that execute smart contracts, which are arbitrary code scripts [4]. However, in both models, the transaction mechanism requires the same cryptographic guarantees, and the public keys are published for signature verification.






3) Asset retention: Asset retention refers to holding assets for time periods without transacting them. As previously mentioned, an asset amount is typically sent to an address, which is a hash of the receiver's public key. The receiver, however, keeps the key itself unrevealed to the network.

III. Quantum Attacks on Proof-of-Stake 

In general, a quantum attack would target the security of a system by invalidating its computational tractability assumptions. We utilize the random oracle model, restricting the attention to two well-known quantum algorithms, namely Grover's and Shor's. We use quantum Turing machines (QTMs) for demonstrating the attacks. They are universal, well-studied, and computationally equivalent to the quantum circuit model [13].

A. Attack Model 

Quantum algorithms are inherently probabilistic. They can 
be in a distribution of states with a certain probability to be 
in each of them whereas classical algorithms can be in one 
specific state. 

1) Grover's Algorithm: Grover's search algorithm [14] provides a quadratic speed-up over its known classical counterparts. Its asymptotic runtime complexity is $O(\sqrt{N})$, where $N$ is the cardinality of the domain, while the best-known classical algorithm has a lower bound of $\Omega(N)$ runtime. As $N = 2^n$ in our case, it is proved [15] that the complexity class NP cannot be solved in $o(2^{n/3})$ time, or at least $\Omega(2^{n/2})$ evaluations are required on a QTM. It follows that Grover's $O(2^{n/2})$ is asymptotically optimal. It further cannot be parallelized other than by dividing the search space $N$ independently [16]. On a classical machine, $N/2$ evaluations are required on average to find a search result. Using [16], the number of oracle calls, $\mu$, used to find a search result is as follows.

$$\mu = \frac{\pi}{4}\sqrt{N}$$

In blockchain systems, Grover’s algorithm provides a faster 
query search against cryptographic hash functions that are used 
to generate the asset addresses and to secure the block and 
transaction hashes. 

2) Shor's Algorithm: Shor's algorithm solves the discrete log and factoring problems in random quantum polynomial (RQP) time [6]. The RQP complexity class allows a small one-sided error probability while maintaining a polynomial runtime bound. In particular, for an input $N$, a composite number, the time taken to find a nontrivial factor is polynomial in $\log N$ [17], which applies equally to discrete logs. The fastest known classical algorithm to solve the same problems, the general number field sieve, takes a sub-exponential time of $O\!\left(e^{\,c\,(\log N)^{v}\,(\log\log N)^{1-v}}\right)$, where $v$ is shown to be $1/3$ [18]. In [19], it is shown that the number of qubits required to solve discrete logs of elliptic curves is less than for solving factorization of RSA.

B. Attacks on Proof-of-Stake 

On PoW, the asset creation mechanism, or mining, is attacked with Grover's algorithm to achieve its quadratic speed-up over classical mining. However, the advances and specialization of Application-Specific Integrated Circuits (ASICs) may overcome this quadratic improvement [10]. The transacting and retention mechanisms are affected by Shor's algorithm. Even in the classical context, a transaction is essentially a race condition between the attacker A and the transactor T. A targets cracking the digital signature to retrieve its private key. T targets transaction inclusion in a block so that it gets consensus. If A can retrieve the private key and publish a transaction that gets included faster than T's, then A wins the race. On a quantum computer, A uses Shor's algorithm to speed up the private key retrieval using the broadcast public key and signature. For the retention mechanism, it is secure if an address is used once. This means that the public key is unknown, and hence Shor's algorithm cannot be used. However, if the address is used multiple times, then the public key is broadcast in transactions and hence the retained assets are vulnerable to Shor's attack.

In PoS, both attacks on the transacting and asset retention mechanisms for PoW are equally applicable. However, during the asset creation mechanism, the staking transaction is vulnerable to Shor's attack, which puts stakers at risk of losing assets by participating in the process. At the same time, such participation is necessary to accept and validate transactions, and to secure the network against consensus attacks.

IV. Defenses 

Considering our quantum attack model, we mention and 
extend defenses against those attacks for the existing and new 
ledger designs. 

A. System Design Considerations 

• Symmetric cryptography considerations. For algorithms affected by Grover's attack, the same classical security levels are achieved by doubling the key size. For hash functions, doubling the hash output bits, given the best-known attack, is likewise a safe countermeasure.

• Relying on addresses rather than public keys when possible. As an address is a hashed version of the public key, it is secure to publish it, in contrast with broadcasting the public key itself. It shall be used on all applicable occasions.

• Preventing address reuse. Spending assets from the same address is not only insecure in the quantum context, it is also vulnerable in the classical one. Reusing the same address reveals the public key and allows quantum signature attacks. In the UTXO model, while sending any excess assets to a new address as change incurs extra work, it is necessary to secure such assets.

• Considering new digital signature schemes. Post-quantum cryptography is increasingly maturing and can replace existing signature schemes that are vulnerable to quantum attacks. Relying on such a scheme for PoS would resist both attacks on the staking and transacting mechanisms.
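The retention attack of Section III-B and the two address-related design rules above both come down to one observable fact: a public key is on the chain exactly when some output of its address has been spent. The following Python, an added example rather than code from the paper or from any wallet, models a toy UTXO ledger and computes the two things a defender wants from that fact: which unspent value currently sits behind an already-revealed key (the assets Shor's algorithm could be pointed at), and, wallet-side, which outputs of a transaction about to be broadcast would reuse such an address. Public keys here are opaque placeholder byte strings standing in for ECC points (no real signatures are made), the address is a truncated SHA-256 of the key in place of HASH160, and every name and sample value is this example's own.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not code from the paper or any wallet: a toy UTXO ledger in
# which public keys are opaque placeholder byte strings (standing in for ECC
# points; no real signatures are produced), an address is a hash of the public
# key, and spending an output puts the public key on the chain, as the paper's
# signature script does.


def address_of(pubkey: bytes) -> bytes:
    """Address = H(pubkey). A 20-byte SHA-256 truncation stands in for HASH160."""
    return hashlib.sha256(pubkey).digest()[:20]


@dataclass(frozen=True)
class TxIn:
    prev_txid: str
    index: int
    pubkey: bytes            # revealed on spend, alongside the signature


@dataclass(frozen=True)
class TxOut:
    value: int
    address: bytes


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[TxIn, ...]
    outputs: Tuple[TxOut, ...]


def utxo_set(txs: List[Tx]) -> Dict[Tuple[str, int], TxOut]:
    """Replay the ledger: outputs appear, inputs consume them (spend once)."""
    utxos: Dict[Tuple[str, int], TxOut] = {}
    for tx in txs:
        for txin in tx.inputs:
            utxos.pop((txin.prev_txid, txin.index), None)
        for i, out in enumerate(tx.outputs):
            utxos[(tx.txid, i)] = out
    return utxos


def revealed_pubkeys(txs: List[Tx]) -> Dict[bytes, bytes]:
    """address -> public key, for every key that has appeared in an input."""
    return {address_of(i.pubkey): i.pubkey for tx in txs for i in tx.inputs}


def shor_exposed_value(txs: List[Tx]) -> Dict[bytes, int]:
    """Unspent value held at addresses whose public key is already on the
    chain. In the paper's model these are the retained assets a Shor-capable
    adversary can work on at leisure; value at a never-spent address only
    exposes H(pk), which Shor's algorithm does not help with."""
    revealed = revealed_pubkeys(txs)
    exposed: Dict[bytes, int] = {}
    for out in utxo_set(txs).values():
        if out.address in revealed:
            exposed[out.address] = exposed.get(out.address, 0) + out.value
    return exposed


def flags_address_reuse(txs: List[Tx], candidate: Tx) -> List[int]:
    """Wallet-side check before broadcasting `candidate`: indices of its
    outputs (change included) that pay to an address whose key is revealed
    by the ledger or by the candidate's own inputs, i.e. outputs that break
    the 'no address reuse' rule."""
    revealed = revealed_pubkeys(txs + [candidate])
    return [i for i, out in enumerate(candidate.outputs) if out.address in revealed]


# Constructed ledger: keys are fixed placeholder bytes, not real curve points.
PK_A, PK_B, PK_B2 = b"\x02" + b"A" * 32, b"\x02" + b"B" * 32, b"\x03" + b"B" * 32


def example_ledger() -> List[Tx]:
    coinbase = Tx("tx0", (), (TxOut(50, address_of(PK_A)),))
    # A pays B 30 and sends the 20 change back to A's own address (reuse).
    pay = Tx("tx1", (TxIn("tx0", 0, PK_A),),
             (TxOut(30, address_of(PK_B)), TxOut(20, address_of(PK_A))))
    # B pays 10 to a fresh key and, again, keeps 20 at the now-revealed address.
    pay2 = Tx("tx2", (TxIn("tx1", 0, PK_B),),
              (TxOut(10, address_of(PK_B2)), TxOut(20, address_of(PK_B))))
    return [coinbase, pay, pay2]


if __name__ == "__main__":
    ledger = example_ledger()
    for addr, value in shor_exposed_value(ledger).items():
        print(f"exposed {value} at {addr.hex()}")
    print("reused outputs in tx2:", flags_address_reuse(ledger[:2], ledger[2]))
```

On the constructed ledger, 40 of the 50 units end up exposed (20 at A's reused address, 20 at B's), while the 10 units sent to B's fresh key are not, which is the paper's point that retention is safe only for single-use addresses. The `flags_address_reuse` check is what a wallet would run before signing: it would have flagged the change output of both `tx1` and `tx2`, the exact case the "Preventing address reuse" rule describes.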

B. Post-Quantum Signature Schemes 

Post-quantum cryptography refers to classical algorithms 
that resist known attacks of powerful quantum computers. 



TABLE I. Possible post-quantum signature schemes for blockchain systems

Type    Scheme         Pub. key [bytes]   Signature [bytes]   Security bits [log2 operations]
I.1     RAINBOW        133,000            79                  128
I.2     QUARTZ         71,000             16                  80
I.3     GeMSS          352,190            33                  128
II.1    BLISS          875                625                 128
II.2    GLYPH          2,000              1,800               128
II.3    FALCON         897                652                 112
III.1   XMSS           912                2,451               128
III.2   SPHINCS-256    1,056              41,000              128
III.3   SPHINCS+       64                 8,000               128
III.4   Picnic         64                 195,458             128
IV.1    Parallel CFS   5,120,000          60                  83
V.1     SIDH           768                141,312             128
V.2     SIDH-c         336                122,880             128

We investigate and compare multiple post-quantum signature schemes proposed in the literature, see Table I. They are categorized into (I) multivariate, (II) lattice-based, (III) hash-based, (IV) code-based, and (V) isogeny-based supersingular elliptic curves.

Among the multivariate schemes, Rainbow [20] is based on a generalization of the Oil and Vinegar construction to improve Unbalanced Oil and Vinegar (UOV) cryptosystems [21]. They follow a generic reduction of quadratic UOV to the NP-hard complexity class. Known cryptanalysis [22] has shown $2^{71}$ operations to attack the $2^{80}$ security level. Another scheme is QUARTZ, built on basic Hidden Field Equations (HFE), specifically HFEv-, using the minus and vinegar modifiers. Its first version [23] was attacked using generic attack vectors in [24], and improved in [25]. Great Multivariate Short Signature (GeMSS) is a scheme based on QUARTZ. It uses the same underlying construction to extend the security levels and efficiency [26]. It is included in the second round of the NIST submissions.

Lattice-based schemes in general rest on the Short Integer Solution (SIS) and Learning with Errors (LWE) problems, which admit worst-case to average-case reductions [27]. Lattice-based schemes such as the Bimodal Lattice Signature Scheme (BLISS) have a conjectured relation to the NP-hard Closest Vector Problem (CVP). Another family, NTRU, has faced two decades of scrutiny. During that period, multiple NTRU family schemes were proposed. The first NTRU cryptosystem was described in [28]. The Polynomial Authentication and Signature Scheme (PASS) by NTRU [29] was attacked in [30]. As a result, NTRUSign, which is based on the Goldreich Goldwasser Halevi (GGH) signature scheme and the CVP problem, emerged [31]. A cryptanalysis of this scheme showed that its signatures leak information on the private key, which makes it recoverable using a number of signatures that is quadratic in the dimension of the lattice [32]. A redesign, called pqNTRUsign, was submitted to NIST for standardization, but did not reach the round two submissions. The official NIST comments show it to be vulnerable to chosen message attacks. The NTRU group also proposed FALCON [33], another digital signature redesign based on Gentry, Peikert and Vaikuntanathan (GPV) trapdoors [34] over NTRU lattices. FALCON-512 is added to Table I.


Hash-based signature schemes rely on the underlying security of their hash functions. Early signature systems such as Lamport [35], Merkle's size reduction [36], and later Winternitz's further compression based on a time-space tradeoff (W-OTS) [37], and its variant (W-OTS+) [38], are One Time Signatures (OTS). The eXtended Merkle Signature Scheme (XMSS) and Leighton-Micali Signatures (LMS) [39], [40] are implemented in hash structures such as Merkle trees to achieve N-time signatures, bounded by the tree size. LMS and XMSS are stateful, which means that the state between signatures must be maintained. Stateless hash-based cryptosystems, such as SPHINCS [41], also exist. SPHINCS+ [42], an improved variant in terms of signature and public key sizes, is included in the second round of the NIST submissions. A new family of hash-based signature schemes is based on non-interactive zero-knowledge proofs. A recent example is the Picnic scheme [43], which is based on ZKB++, an improvement of Faster Zero-Knowledge for Boolean Circuits (ZKBoo) [44], and is also submitted to NIST's second standardization round. A multi-target attack on Picnic was proposed and fixed in version 2.0 [45].
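To make the OTS-plus-Merkle-tree construction and its statefulness concrete, here is an added example (written for this edit; it is not the paper's code and is a toy, not XMSS or LMS, which use W-OTS+ and additional hashing tweaks): a Lamport one-time signature with 256 secret pairs, lifted to a $2^h$-time signature by a Merkle tree over the OTS public-key hashes. The tree root is the long-term public key, a signature carries the leaf index, the OTS signature and public key, and the authentication path, and the signer's `next_idx` is the state that must survive between signatures. All names are this example's own.

```python
import hashlib
from typing import List, Tuple

# Added example, not the paper's code and not XMSS or LMS themselves: a
# Lamport one-time signature (256 secret pairs for a 256-bit digest) turned
# into a 2^height-time stateful signature by a Merkle tree over the OTS
# public keys. Names below are this example's own.


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def ots_keygen(seed: bytes, idx: int) -> Tuple[list, list]:
    """Derive OTS key pair number `idx` from a master seed, so only the seed
    and the state need storing. sk[i][b] is revealed when digest bit i == b."""
    sk = [[H(seed, idx.to_bytes(4, "big"), i.to_bytes(2, "big"), bytes([b]))
           for b in (0, 1)] for i in range(256)]
    pk = [[H(x) for x in pair] for pair in sk]
    return sk, pk


def ots_pk_hash(pk: list) -> bytes:
    """Leaf value: hash of the whole OTS public key (512 hash outputs)."""
    return H(*(x for pair in pk for x in pair))


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def ots_sign(sk: list, msg: bytes) -> List[bytes]:
    d = H(msg)
    return [sk[i][_bit(d, i)] for i in range(256)]


def ots_verify(pk: list, msg: bytes, sig: List[bytes]) -> bool:
    d = H(msg)
    return len(sig) == 256 and all(H(sig[i]) == pk[i][_bit(d, i)] for i in range(256))


class MerkleSigner:
    """Stateful few-time signer: public key = Merkle root over 2^height OTS
    public-key hashes; `next_idx` is the state that must never go backwards."""

    def __init__(self, seed: bytes, height: int):
        self.seed, self.height, self.next_idx = seed, height, 0
        leaves = [ots_pk_hash(ots_keygen(seed, i)[1]) for i in range(1 << height)]
        self.levels = [leaves]
        while len(self.levels[-1]) > 1:
            lvl = self.levels[-1]
            self.levels.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])

    @property
    def root(self) -> bytes:
        return self.levels[-1][0]

    def sign(self, msg: bytes):
        if self.next_idx >= 1 << self.height:
            raise RuntimeError("key exhausted: every OTS leaf has been used")
        idx, self.next_idx = self.next_idx, self.next_idx + 1  # advance state first
        sk, pk = ots_keygen(self.seed, idx)
        path, node = [], idx
        for lvl in self.levels[:-1]:          # sibling at each level, leaf to root
            path.append(lvl[node ^ 1])
            node >>= 1
        return idx, ots_sign(sk, msg), pk, path


def merkle_verify(root: bytes, msg: bytes, sig) -> bool:
    """Check the OTS, then recompute the root from the leaf and the path."""
    idx, ots_sig, pk, path = sig
    if not ots_verify(pk, msg, ots_sig):
        return False
    node, pos = ots_pk_hash(pk), idx
    for sibling in path:
        node = H(node, sibling) if pos % 2 == 0 else H(sibling, node)
        pos >>= 1
    return node == root


if __name__ == "__main__":
    signer = MerkleSigner(b"constructed-seed", height=2)    # 4 signatures total
    sig = signer.sign(b"coinstake tx 1")
    print("valid:", merkle_verify(signer.root, b"coinstake tx 1", sig))   # True
    print("state after one signature:", signer.next_idx)                  # 1
```

Two properties of the construction are visible here. First, the state is advanced before the signature is produced: signing two different messages under the same leaf index would reveal, for every bit position where their digests differ, both halves of that Lamport pair, so a signer that loses or rolls back `next_idx` (a restored backup, a second device sharing the seed) has broken the scheme even though every individual signature still verifies. Second, the number of signatures is fixed at key generation by the tree height, which is the "N-time, bounded by the tree size" limit the paragraph describes; stateless schemes such as SPHINCS trade this for much larger signatures.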

Code-based McEliece is based on decoding a general linear code, which is known to be NP-complete [46]. Using binary Goppa codes, it has held its stance against cryptanalysis; one known attack [47] has been presented, with parameter tweaks to fix it. A variant of McEliece by Niederreiter was used to generate signatures based on the same security assumptions [48]. Such a scheme is called Courtois Finiasz Sendrier (CFS) [49]. An attack on CFS [50] that required an increase in the parameters resulted in an impractical key size. A new variant of CFS was published to use the original CFS sizes and counter the attack, named Parallel-CFS [51], with no known attacks. However, there is no security proof for it. In this context, it is worth mentioning that most optimization trials to replace binary Goppa codes with other code constructions, such as Reed-Solomon codes, quasi-cyclic codes, and others, were quickly broken [52].

The first supersingular elliptic curve isogeny-based signature scheme was introduced in [53] based on Strong Designated Verifier Signatures (SDVS). Based on this scheme, and applying Unruh's non-interactive zero-knowledge construction [54], SIDH and its compressed version SIDH-c [55] are obtained. We add both to Table I.

C. Selecting a Post-quantum Signature Scheme 

As previously mentioned, ECC is widely used in blockchain systems, especially curves such as secp256k1 for ECDSA and Ed25519 for EdDSA. To achieve a $t$-bit security level (in $\log_2$ operations) in such schemes, a level representative of the best-known attacks, a public key size of $2t$ and a signature size of $4t$ bits must be chosen. For Schnorr's scheme, $3t$ is sufficient to achieve the $t$-bit security level [56]. For practical analysis, the theoretical public key and signature sizes are added to Table II.

As blockchains are used on mobile devices, limited-resource requirements such as processing power, memory and power usage of the signing devices do factor into selecting a signature scheme. Post-quantum schemes are in most cases comparable or even better in performance when compared to the public key schemes that are widely used currently. Considering signature and public key sizes, a post-quantum scheme can be chosen. Code-based signatures provide the lowest performance of all post-quantum schemes. In the eventuality of finding new attacks that require increasing the parameters of Parallel-CFS, the public keys can grow impractical. While multivariate schemes show strong security guarantees and good signature sizes, further optimization of public key size is required before practical usage. As hash-based schemes rely on minimal security assumptions, they are considered a strong candidate for blockchain systems, especially stateless schemes. Lattice-based signatures are also good candidates, based on the total size of public key and signature.

TABLE II. Factorization and discrete log schemes, at a 128-bit security level

Scheme    Public key [bytes]   Signature size [bytes]
DSA       384                  384
RSA       384                  384
ECC       32                   64
Schnorr   32                   48

V. Conclusion 

Signature attacks on blockchains threaten their security advantages. Hash functions are less vulnerable to the advances of quantum computers and hence PoW is safer than PoS from this angle. However, both are vulnerable if signature schemes are not quantum-resilient. Generic design considerations can help in mitigating quantum threats, and migrating to post-quantum signatures counters the most critical quantum advantage. We find lattice-based and hash-based signatures to be most suitable for such migration and specify which algorithms might be used.